I was going through the phx.gen.auth code (all defaults, no changes) and I have a question. It looks like the generated session user_token never expires and unless a user logs out with that specific session still in cookies, it is never removed from the database. I know this isn’t supposed to be the end-all auth solution, but it seems like an avoidable security issue (never-expiring access token) and storage issue (if a site has many users all creating many sessions, it seems like it could get unwieldy). Am I missing something?
The validity is checked in the verify_session_token/1
function (here).
The default is 60 days.
Ah! OK, thank you. Do you recommend setting up some sort of DB trigger to delete old tokens?
There are a few things I wasn’t all too happy with in the default gen_auth output (have some pull requests to put up eventually) and this was one of them.
I don’t think you can have periodic / time-based “triggers” in your DB. At least not in Postgres. Although I admit I haven’t dug into the more recent docs, so it might be that something has changed.
OTOH I don’t really feel like this being a DB responsibility, even if it should theoretically be more efficient.
Therefore in my cases I have a “janitor” GenServer that periodically walks over all the stuff that might need some action upon it. One of its duties is cleaning up expired user tokens, preventing accumulation of such cruft.
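Here is one way to write the kind of "janitor" process described above, as an added example; it is not the poster's code and not part of what phx.gen.auth generates. It assumes the default generator names (`MyApp.Repo`, `MyApp.Accounts.UserToken` with its `context` and `inserted_at` columns) and the default 60-day session validity that `verify_session_token/1` uses. The sweep is restricted to `"session"` tokens because the other token contexts (confirm, reset password, change email) have their own, shorter validity windows and would need separate cutoffs.

```elixir
defmodule MyApp.Accounts.TokenJanitor do
  @moduledoc """
  Periodically deletes expired session tokens from the users_tokens table.

  Assumed names (not from the original post): MyApp.Repo and
  MyApp.Accounts.UserToken as generated by phx.gen.auth.
  """
  use GenServer
  import Ecto.Query, only: [from: 2]
  require Logger

  alias MyApp.Repo
  alias MyApp.Accounts.UserToken

  # Must match the validity enforced by verify_session_token/1 (60 days by
  # default). If you raise the session max_age, raise this too, otherwise the
  # janitor will delete tokens that the verifier still considers valid.
  @session_validity_in_days 60

  # How often the sweep runs; once an hour is plenty for a 60-day window.
  @interval :timer.hours(1)

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  end

  @impl true
  def init(_opts) do
    schedule_sweep()
    {:ok, %{}}
  end

  @impl true
  def handle_info(:sweep, state) do
    {count, _} = delete_expired_session_tokens()
    Logger.info("TokenJanitor removed #{count} expired session token(s)")
    schedule_sweep()
    {:noreply, state}
  end

  @doc """
  Deletes every "session" token older than the validity window.
  Returns `{deleted_count, nil}` as Repo.delete_all/1 does, so it can also be
  called on demand (e.g. from a release task or an IEx session).
  """
  def delete_expired_session_tokens do
    Repo.delete_all(
      from t in UserToken,
        where: t.context == "session",
        where: t.inserted_at < ago(@session_validity_in_days, "day")
    )
  end

  defp schedule_sweep, do: Process.send_after(self(), :sweep, @interval)
end
```

Start it from the application supervisor by adding `MyApp.Accounts.TokenJanitor` to the `children` list in `lib/my_app/application.ex`. Because `Process.send_after/3` is rescheduled only after a sweep completes, a slow delete never causes sweeps to pile up; in a multi-node deployment you would either run it on one node only or accept that concurrent sweeps are harmless because the delete is idempotent.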
Seeing that the remember-me cookie uses the same token, if you wanted to increase its max_age you’d need to change this as well, right?